Improve SSL Support for Your WebLogic Domains

Introduction

Every WebLogic Server installation comes with SSL support. But for some reason many installations get this interesting error message at startup:

Ignoring the trusted CA certificate “CN=Entrust Root Certification Authority – G2,OU=(c) 2009 Entrust, Inc. – for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust, Inc.,C=US”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.

This looks odd and many people ignore these error messages. However, if your strategy is to show real error messages only, you are quickly looking for a solution. The Internet is full of possible solutions. Some recommend to remove the certificates from the JDK trust store, some recommend to use a different trust store. But is this the best solution and what are the side effects?

Main Article

Our way to the solution starts by understanding the error message. Here it is again.

Ignoring the trusted CA certificate “CN=Entrust Root Certification Authority – G2,OU=(c) 2009 Entrust, Inc. – for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust, Inc.,C=US”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.

The first sentence is the result while the second sentence explains the reason. Looking at the reason, we quickly find the “certificate parsing exception“. But what does “PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11” tell us?

  • PKIX stands for the Public Key Infrastructure (X.509). X.509 is the standard used to export, exchange, and import SSL certificates.
  • OID stands for the Object Identifier. Object Identifiers are globally unique and organized in a hierarchy. This hierarchy is maintained by the standards bodies in every country. Every standards body is responsible for a specific branch and can define and assign entries into the hierarchy.

With this background information we can lookup the number 1.2.840.113549.1.1.11 in the OID Repository (see References for the link) and get this result “iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) sha256WithRSAEncryption(11)“.

Combining the certificate information in the first sentence and the information from the OID lookup we have the following result:

The certificate from CN=Entrust Root Certification Authority – G2,OU=(c) 2009 Entrust, Inc. – for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust, Inc.,C=US uses SHA256WithRSAEncryption which is not supported by the JDK!

You will probably see more messages for similar or different encryption algorithms used in other certificates.

The Root Cause

These factors cause this (and similar) error messages:

  • By default the Java Cryptography Extension (JCE), that comes with the JDK, implements only limited strength jurisdication policy files.
  • The default trust store of the JDK that holds this and other certificates can be found in JAVA_HOME/jre/lib/security/cacerts.
  • WebLogic Server versions before 12c come with the Certicomm JSSE implementation. The Certicomm implementation will not be updated because the required JDK already comes with the standard SunJSSE implementation.

The Problem

The Certicomm implementation works perfectly with many SSL certificates but does not support newer and stronger algorithms. Removing certificates from the default trust store or using a new trust store works only if you do not need to install third party certificates, for example from well known Certificate Authorities.

The Solution

To remove these error messages and support newer SSL certificates we have to do these steps:

  • Upgrade the jurisdication policy files with the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files. You can download the Unlimites Strength Jurisdication files that fit for your JDK version from the Oracle Technology Network (see References). Follow the installation instructions that come with the distribution.
  • Enable SunJSSE Support in WebLogic Server
    • Login to Weblogic console
    • Go to [Select your Server] -> SSL -> Advance
    • Set “Enable JSSE” to true.
  • Restart your domain completely (including NodeManager)
    • If you start your domains with a WLST script:

      CONFIG_JVM_ARGS=’-Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true’

    • If you start your domains with the scripts startWebLogic.sh, startManagedServer.sh, or startNodeManager.sh:

      JAVA_OPTIONS=’-Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true’

Your Java and WebLogic environment is now ready to support newer SSL certificates!

Enjoy!

References

Add Your Comment